Today we'll show you how to set up and configure a firewall with FirewallD on CentOS 7. FirewallD is the firewall management system available by default on CentOS 7 servers; essentially, it is a wrapper around iptables. One of the biggest benefits of the new firewall system is that the old iptables service had to be restarted after every change, whereas firewalld applies only the differences. Setting up and configuring FirewallD on CentOS 7 is straightforward and should not take much time.

Before applying any firewalld rules, first check that the firewalld service is enabled and running.

systemctl status firewalld

FirewallD works with services and zones rather than raw iptables rules and chains. Which zones are active, and which services each zone allows, can be listed with firewall-cmd.

It comes with a graphical configuration tool, firewall-config, and a command line tool, firewall-cmd. If you are not comfortable with the command line, you can manage firewalld from the GUI instead; to do so, install the GUI package on the system with the following command.

# yum install firewalld firewall-config

1. Add and Remove Ports in Firewalld

To open a port in the public zone, use the following command. For example, to open TCP port 80 in the permanent configuration:

# firewall-cmd --permanent --zone=public --add-port=80/tcp

Similarly, to remove an added port, use the '--remove-port' option with firewall-cmd as shown below. Note that a command run with --permanent changes the saved configuration and takes effect after 'firewall-cmd --reload', whereas a command without --permanent, like the one below, changes only the running firewall and is lost on the next reload.

# firewall-cmd --zone=public --remove-port=80/tcp

After adding or removing ports, confirm that the port was actually added or removed with the '--list-ports' option.

# firewall-cmd --zone=public --list-ports

2. Add and Remove Services in Firewalld

By default, firewalld comes with a set of pre-defined services. If you want to add a specific service, you need to create a new XML file that defines it, or you can add and remove individual services manually from the command line.
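The permanent ports and services that firewall-cmd records for a zone end up in that zone's XML file under /etc/firewalld/zones/. The following shell script is an added example, not part of this tutorial and not a firewalld tool: it parses a constructed copy of such a zone file (written in firewalld's own zone format) and reports the allowed services, the open ports, whether masquerading is on, and any open port that is not on an expected allowlist. The sample zone contents and the allowlist (80/tcp) are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit a firewalld zone file (the XML under
# /etc/firewalld/zones/) and flag open ports missing from an allowlist. Runs offline.
# Constructed sample resembling public.xml after --permanent --add-port=80/tcp,
# plus a forgotten 8080/tcp that nobody meant to leave open.
SAMPLE_ZONE='<?xml version="1.0" encoding="utf-8"?>
<zone>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port port="80" protocol="tcp"/>
  <port port="8080" protocol="tcp"/>
  <masquerade/>
</zone>'

# zone_services: read zone XML on stdin, print each <service name="..."/> name.
zone_services() { sed -n 's/.*<service[^>]*name="\([^"]*\)".*/\1/p'; }

# zone_has_masquerade: succeed if the zone XML on stdin enables masquerading.
zone_has_masquerade() { grep -q '<masquerade/>'; }

# zone_ports: read zone XML on stdin, print "port/protocol" for each <port .../>.
zone_ports() {
  grep '<port ' | while read -r line; do
    port=$(printf '%s' "$line" | sed 's/.*port="\([^"]*\)".*/\1/')
    proto=$(printf '%s' "$line" | sed 's/.*protocol="\([^"]*\)".*/\1/')
    printf '%s/%s\n' "$port" "$proto"
  done
}

# unexpected_ports ALLOWED...: print ports from the zone XML on stdin that are
# not in the ALLOWED list (for example: unexpected_ports 80/tcp 443/tcp).
unexpected_ports() {
  zone_ports | while read -r p; do
    keep=1
    for a in "$@"; do [ "$p" = "$a" ] && keep=0; done
    if [ "$keep" -eq 1 ]; then printf '%s\n' "$p"; fi
  done
}

# audit_zone ALLOWED...: one-screen report for the zone XML on stdin.
audit_zone() {
  xml=$(cat)
  printf 'services: %s\n' "$(printf '%s\n' "$xml" | zone_services | tr '\n' ' ')"
  printf 'ports: %s\n' "$(printf '%s\n' "$xml" | zone_ports | tr '\n' ' ')"
  printf '%s\n' "$xml" | zone_has_masquerade && printf 'masquerade: on\n'
  extra=$(printf '%s\n' "$xml" | unexpected_ports "$@" | tr '\n' ' ')
  [ -n "$extra" ] && printf 'UNEXPECTED open ports: %s\n' "$extra"
  return 0
}

printf '%s\n' "$SAMPLE_ZONE" | audit_zone 80/tcp
```

On a real server, replace the sample with `audit_zone 80/tcp < /etc/firewalld/zones/public.xml` to check the saved configuration against what you intended to open.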

6. Firewalld Lockdown Rules

Any local application running with root privileges can change the firewalld rules. To prevent this, enable lockdown in the 'firewalld.conf' file; this helps protect firewalld from unwanted rule changes by applications.

# nano /etc/firewalld/firewalld.conf

Change the value from no to yes:

Lockdown=yes

To apply the change permanently, reload the configuration with '--reload'.

# firewall-cmd --reload

After making the above change, verify that lockdown is active with the query option.

# firewall-cmd --query-lockdown

To turn lockdown mode on or off, use these commands.

# firewall-cmd --lockdown-on
# firewall-cmd --lockdown-off

7. Enable Fail2ban-firewalld Support

To enable fail2ban support in firewalld, we need to install the package called 'fail2ban-firewalld', which requires enabling the EPEL repository on RHEL/CentOS systems. It also provides additional security rules for SSH, SSH-DDOS, MariaDB, Apache, etc.

After enabling EPEL, install the 'fail2ban-firewalld' package with the following command.

# yum install fail2ban-firewalld -y

After installing the package, start the 'fail2ban' service and enable it so that it persists across reboots.

# systemctl start fail2ban
# systemctl enable fail2ban

8. Add & Block IP Addresses

To add a specific IP address as a trusted source in the public zone, use the following command.

9. Masquerading IP Address

IP masquerading is a form of network address translation (NAT) that lets internal computers, which have no address known outside their network, communicate with the outside. It allows one machine to act on behalf of other machines.

Here we will see how to forward a port to the outside network. For example, if I want to SSH into my home virtual machine from anywhere, I need to forward my SSH port 22 to a different port (for example, 2222).

Before setting up port forwarding, first check whether masquerading is enabled for the external zone, because we are going to reach the machine from an outside network.

# firewall-cmd --zone=external --query-masquerade

If it is not enabled, enable it with the following command.

# firewall-cmd --zone=external --add-masquerade

Now, to forward all connections on SSH port 22 to port 2222 for the IP address 192.168.xx.xx.